A North Korean ransomware operation known as “H0lyGh0st” claims to help the poor by attacking businesses and demanding payment for a file decryption key. Although the actor frames this as a “Robin Hood” style mission of closing the wealth gap by taking from the rich, its attack pattern reveals a purpose that is anything but “holy.”
The group behind H0lyGh0st began targeting organizations with ransomware in June 2021. Its victims include small and medium-sized businesses, which typically operate on minimal security budgets and are therefore easier to compromise. Multiple variants of H0lyGh0st have been developed since then, each adding capabilities to the original.
The actor behind H0lyGh0st may have ties to a state-linked group. First tracked by Microsoft under the name “DEV-0530,” the actor is believed to be connected to PLUTONIUM, a North Korean threat group that has been active since 2014. The two share infrastructure and use custom malware controllers with similar names, and the H0lyGh0st operators have also been observed communicating with known PLUTONIUM email accounts.
Victims of a H0lyGh0st ransomware infection risk more than the ransom itself. The attack can leave data significantly corrupted and cause lasting reputational damage, whether or not the victim pays.